wuziyi616 / if-defense Goto Github PK

Thanks for your great work! I'm confused about when to implement the SOR or the SRS defense. I check several related works and find two settings:

Setting1

In the code of CVPR'22 Shape-Invariant-Attack, they put the defense (e.g., SOR) in BOTH attack iteration and attack process. This can simulate settings where attackers get complete information of the model AND defense methods.

Setting2

I tried the situation where the attackers do not know the defense methods (e.g., don't use defense in the attack iterations). In this setting, the accuracy essentially increases, which is expected.

I re-implement the drop-200 attack with the SOR defense under the above two settings. The adversarial accuracy of 1st setting is 46.1, which is close to your paper results (42.6). The result of the 2nd setting is 35.2.

I find you load adversarial points from files in defend_npz.py, which seems to be the Setting2. I just wonder which setting you adopted in your paper. If you adopt Setting2, have you tried to test the performance of IF-Defense under Setting1, will the defense performance still be good?

Hi ziyi. In hybrid training, you provided MN40, convonet_opt_MN40, onet_opt-MN40, onet_remesh-MN40 and attack_data.npz used for all attacks. Could you please tell me if these three defense data (convonet_opt_MN40, onet_opt-MN40. onet_remesh-MN40) are from IF-Defense used on attack_data.npz or MN40?

Very excellent work! But I encountered some problems when making the data set. If it is convenient for you, can you upload the network usage data to Google Drive so that everyone can study your work more conveniently?

I notice that you use targeted attacks. However, the paper does not provide any details in target label choosing. As analysis in previous works, if you choose an easy case to build a target label, the accuracy under attack will be low. So, could you provide more details in choosing target labels. If any possible, you can provide the pre-trained models. I want to test them under un-targeted attacks, which may show the robustness in another perspective.

We want to test our method in defend LG-GAN and AdvPC, but they are written in TF, it is hard to implement them.

If you are willing to provide them, we will be very grateful.

My email is [email protected]

Hey, Ziyi.
We proposed the IT-Defense recently, which utilized the network’s property (such as permutation invariant of input point cloud for Pointnet) to defend attacks. But we don't know how to design an adaptive attack for our defense, could you give any suggestions?

Best wishes!
Jinlai

We test the acc is 43.31% instead 0% when no defense, does anything wrong?

The experiment is base on your data and code.

_Pre-trained Victim Models
We provided the pre-trained weights for the victim models used in our experiments. Download from here and uncompress them into pretrain/. You can also train your victim models by yourself and put them into the folder.

Note that, if you want to use your own model/weight, please modify the variable called 'BEST_WEIGHTS' in config.py._

Hi , I saw this in the readme file in /baseline folder. But I can't find the pretrain folder, does it change to another name?

Hi ziyi,

sorry for bothering you. Can the generated attack images be saved? If yes, which config parameters should I modify?

Thanks!

Hello ziyi, I use the original point cloud to pass through our defense model and provide it to pointnet training, but the classification accuracy of the trained pointnet on the clean point cloud attack_data.npz processed by our defense is reduced. Why is this?

e.g. how to create a dataset used in training convolutional occupancy networks.

thanks